OK, panic—newly evolved ransomware is bad news for everyone

There’s something inherently world-changing about the latest round of crypto-ransomware that has been hitting a wide range of organizations over the past few months. While most of the reported incidents of data being held hostage have purportedly involved a careless click by an individual on an e-mail attachment, an emerging class of criminals with slightly greater skill has turned ransomware into a sure way to cash in on just about any network intrusion.

And that means that there’s now a financial incentive for going after just about anything. While the payoff of going after businesses’ networks used to depend on the long play—working deep into the network, finding and packaging data, smuggling it back out—ransomware attacks don’t require that level of sophistication today. It’s now much easier to convert hacks into cash.

Harlan Carvey, a senior security researcher at Dell SecureWorks, put it this way. “It used to be, back in the days of Sub7 and ‘joy riding on the Information Highway,’ that your system would be compromised because you’re on the Internet. And then it was because you’ve got something—you’ve got PCI data, PHI, PII, whatever the case may be. Then it was intellectual property. And now it’s to the point where if you’ve got files, you’re targeted.”

This week’s ransomware attack at Maryland’s MedStar Health hospital network is a prime example. For more than a week, 10 hospitals operated without access to their central networks, because the Windows servers controlling MedStar’s domains were locked down by the ransomware variant known as Samsam. Security firms report that there have been many other incidents with Samsam over the past few months. Some attacks have encrypted the contents of hundreds of servers and desktops.

The Samsam attacks have been so effective in part because the attackers have been able to gain administrative access to the Windows domains they’ve hit by taking advantage of a collection of relatively well-known exploits. These exploits, some of them years old, are still so widespread that a cursory scan by Cisco Talos Labs uncovered more than 2 million systems vulnerable just to the JBoss application server exploit used by the Samsam attackers.

Given the rapidly shifting nature of crypto-ransomware and the growing ambition and skill of those deploying it, things are going to get a lot worse for many organizations before they get better. Perhaps worse; it’s not as if people haven’t seen this coming.

Easy money

As a form of criminal business, crypto-ransomware is low-risk with an increasingly high yield. While the potential payoff of data theft can generate a lot of cash for cybercriminals—either through credit fraud, tax return fraud, or sale of identity information—crypto-ransomware provides a way to get paid directly by the victim with little risk of exposure. It taps into an already thriving market of Bitcoin transfer services and malware-as-a-service operators, allowing just about anyone to make money off a few unlucky victims.

At least so far, there’s also little fear of law enforcement tracking ransomware operators down. Many cases of crypto-ransomware attacks go unreported to law enforcement—or to anyone else, especially when the targets are companies. “Companies don’t like talking about these incidents because they’re worried they may escalate the situation they’re in or become targets for other attackers,” said security researcher Roel Schouwenberg. “Folks are also concerned that talking about these attacks in a public setting will encourage more criminals to go the targeted ransomware route.”

These attacks are becoming more targeted, at least in terms of how targets are chosen. Corporate and organizational e-mail accounts are increasingly the focus for phishing attacks, particularly with malware like Locky and Petya. Petya specifically targeted German corporate HR employees; Locky comes in on a Microsoft Office document often disguised as an invoice.

“The targeted attacks that I’m aware of started to become more prevalent over the course of 2015,” Schouwenberg told Ars. “I’m talking about a number of different threat actors, but it’s very hard to get the full picture. So far, the numbers are not near those of targeted network exploitation.”

The targeted phishing approach counts on convincing users to click on an attachment or link and sometimes actively change settings or give approval for the malware to be installed. But as attackers who have done network exploitation to steal data in the past have seen the payoff from ransomware and its disruptive effect on victims, they’ve clearly taken notice. Now, at least some of these criminals are employing ransomware themselves in a more direct way than phishers. This latest wave uses built-in system administration tools to help spread ransomware across the network or at least on systems where it will do the most damage.

The worst part of this new development is that there are likely already compromised systems in these networks or out-of-date or misconfigured software that can easily be compromised to help spread ransomware. As demonstrated by a number of documented attacks by the group spreading Samsam, the ransomware operators behind an attack today likely have access to the targeted network for weeks or months. These crypto-crooks can bide their time before springing an attack.

Part of that may be because attackers are waiting to see if their presence gets detected, judging whether the target is actively monitoring systems. It’s also likely that attackers simply have a long list of other networks to attack already in queue. In the current network climate, the operators of Samsam have a target-rich environment to go after.

Carvey emphasized that while the Samsam attacks have been associated so far with exploits of JBoss, future attacks could use any of the other well-known vulnerabilities already in circulation. “I’m waiting for the next one to come in where they didn’t have a JBoss server,” he said. “Somebody’s going to say, ‘We don’t use JBoss—we use IIS so we’re safe.'”

That thought was echoed by Craig Williams of Cisco’s Talos Research. He told Ars that the way ransomware was evolving, the next attacker could easily use a common content management system vulnerability to get in to launch their attack. One misconfigured Drupal server or an improper file permission setting on a file upload utility could easily lead to a backdoor into many organizations’ networks.

The 2014 hack of the University of Maryland’s network demonstrated how widespread these sorts of vulnerabilities are. A well-crafted Google search can reveal hundreds of backdoor “Web shells” installed that take advantage of misconfigured websites run on servers within organizations’ networks. Such a structure gives even the most casual attacker instant access to systems, and from there anyone can seemingly launch ransomware or other attacks.

Even in today’s increasingly security-minded world, many vulnerable systems never get patched well after problems are identified. This situation isn’t getting better—in fact, it may be accelerating in the other direction.

“People think of the Hollywood version of the hacker groups somewhere in a dark room devising these really innovative and creative kinds of techniques,” said Kevin Kelly, the CEO of LGS Innovations. His security company formed as a spinoff of the federal research arm for Bell Labs. “The reality is that most of the attack vectors are administrative vulnerabilities that creative and talented people have discovered over time, but they weren’t the work of some evil mastermind somewhere in a basement. The amount of software going into everything—including the Internet of Things, which is a booming marketplace—is just proliferating these vulnerabilities globally.”

The problem isn’t limited to Web applications. In the rush to develop mobile applications for employees and customers, organizations have often opened up whole new avenues for attack on the server-side. “The biggest problem I’ve seen—not unlike what you’re seeing with JBoss—is companies who have deployed a mobile app and maybe don’t realize that having a mobile app that gets information from a URI is putting an API on the Internet,” said Greg Brail, chief architect at the application program interface (API) platform provider Apigee. “Or they may have realized what they’re doing, but they didn’t realize how easy it was to discover.”

Often, those mobile application interfaces haven’t been properly secured—giving attackers insight into the companies’ server infrastructure and potentially offering even more channels for attack.